Network security is the cornerstone of operations and maintenance, and mastering iptables and firewalld is an essential skill for every Linux administrator. This article will take you deep into the core principles and practical techniques of these two major firewall tools!
1. Introduction to iptables
iptables is a command-line tool for managing firewall rules in Linux, operating as part of the Linux kernel’s netfilter framework to control incoming and outgoing network traffic.
Compared to firewalld, iptables is rule-based, where each rule must be defined independently, while firewalld is zone-based, applying rules to predefined or custom zones.
iptables is suitable for highly granular and manual configurations, while firewalld offers simpler and more user-friendly dynamic rules.
iptables requires a refresh or restart to apply changes, whereas firewalld supports uninterrupted immediate changes.
iptables is very efficient for static, simple configurations, while firewalld may be slightly slower due to its abstraction layer, but this is generally negligible.
2. Common Options
-A: Append a rule to the chain
-D: Delete a rule from the chain
-P: Set the default policy for the chain
-F: Flush all rules in the chain
-L: List all rules in the chain
-t [table]: Specify the table
-i: Specify the input interface, e.g., eth0
-o: Specify the output interface
-s: Specify the source IP address
-d: Specify the destination IP address
-p: Specify the protocol type, e.g., tcp, udp, icmp
3. Basic Concepts
1. Chains
A set of rules for processing packets
INPUT: Controls incoming packets.
FORWARD: Controls packets forwarded through the system.
OUTPUT: Controls outgoing packets.
2. Tables
Categories of rule processing
filter: The default table for basic packet filtering.
nat: Handles network address translation (NAT).
mangle: Modifies packets.
raw: Configures packets before connection tracking.
3. Rules
Match conditions paired with a target (the action taken on a matching packet), such as ACCEPT or DROP
4. Common Operations
1. List all rules in chains
sudo iptables -L
2. List rules with line numbers
sudo iptables -L --line-numbers
3. List rules in a specific table
sudo iptables -t nat -L
4. Allow incoming traffic on a specified port
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# -A INPUT: Append to the INPUT chain
# -p tcp: Specify the protocol as TCP
# --dport 80: Specify destination port 80
# -j ACCEPT: Accept the packet
5. Block traffic from a specified IP
sudo iptables -A INPUT -s 192.168.1.100 -j DROP
# -s 192.168.1.100: Specify the source IP address
6. Allow traffic from a subnet
sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
7. Allow outgoing traffic on port 22 (SSH)
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
8. Forward traffic between networks
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
9. Delete a rule by line number
sudo iptables -D INPUT 2
# -D INPUT 2: Delete the second rule in the INPUT chain
10. Set the default policy for incoming traffic to DROP
sudo iptables -P INPUT DROP
11. Set the default policy for outgoing traffic to ACCEPT
sudo iptables -P OUTPUT ACCEPT
12. Save current rules to a specified file
sudo iptables-save > /etc/iptables.rules
13. Restore rules from a file
sudo iptables-restore < /etc/iptables.rules
14. Forward port 8080 to 80
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
15. Masquerade traffic (NAT)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
16. Forward traffic to another IP
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
17. Log dropped packets
sudo iptables -A INPUT -j LOG --log-prefix "Dropped Packet: " --log-level 4
# LOG is a non-terminating target: after the packet is logged it continues down
# the chain. Appended after the ACCEPT rules, with the INPUT policy set to DROP
# (item 10), this rule records exactly the packets the policy is about to drop.
18. Log accepted packets
sudo iptables -A INPUT -j LOG --log-prefix "Accepted Packet: " --log-level 4
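The two LOG rules write to the kernel ring buffer, which the system log collects (journalctl -k, /var/log/kern.log or /var/log/messages depending on the distribution) as a line of KEY=VALUE fields after the prefix. The shell function below is an added example and not part of the original article: it tallies the lines carrying the "Dropped Packet: " prefix by source address, protocol and destination port, which is the first view a practitioner wants when checking what a DROP policy is actually catching. The lines in SAMPLE_LOG are constructed for this example; real lines carry the same fields.

```shell
#!/bin/sh
# Added example (not from the article): summarise iptables LOG output.
# Feed it kernel-log text, e.g.   journalctl -k | sh logsummary.sh
# SAMPLE_LOG is constructed for the demo; real lines carry the same KEY=VALUE fields.

SAMPLE_LOG='Mar 10 12:00:01 gw kernel: Dropped Packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: Dropped Packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:03 gw kernel: Dropped Packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:04 gw kernel: Accepted Packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:05 gw kernel: Dropped Packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=999 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1'

# summarize_drops [PREFIX]: read log text on stdin and print "COUNT SRC PROTO DPT"
# for every line carrying PREFIX (default "Dropped Packet: "), busiest first.
# Lines with another prefix (the "Accepted Packet: " rule) are ignored, and a
# protocol without ports (ICMP) shows "-" in the DPT column.
summarize_drops() {
  awk -v prefix="${1:-Dropped Packet: }" '
    index($0, prefix) == 0 { next }
    {
      src = "-"; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue              # tokens like "DF" or "SYN" carry no value
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
      }
      count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# noisy_sources THRESHOLD: source addresses whose dropped-packet total reaches
# THRESHOLD, one per line, suitable for an alert or a blocklist review.
noisy_sources() {
  summarize_drops | awk -v t="$1" '{ total[$2] += $1 } END { for (s in total) if (total[s] >= t) print s }' | sort
}

# Demo on the constructed sample when the script is run directly.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

Pass a different prefix to summarise the other rule's output ("Accepted Packet: "); the prefix filter matters because both LOG rules share one kernel log.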
19. View packet and byte counts
sudo iptables -L -v
20. Reset counters
sudo iptables -Z
21. Flush all rules
sudo iptables -F
22. Flush rules on a specified table
sudo iptables -t nat -F
23. Delete all user-defined chains
sudo iptables -X
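The operations above are usually combined into one ruleset rather than typed one by one. The script below is an added example, not code from the original article: it writes a default-deny INPUT baseline in the iptables-save format that items 12 and 13 read and write, checks it with iptables-restore --test before loading it, and places the LOG rule from item 17 where it belongs, as the last rule before the DROP policy. The interface name eth0, the admin subnet 192.168.1.0/24, the open ports and the rules file path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the article): build a default-deny baseline in
# iptables-save format, validate it, and load it with iptables-restore.
# Interface, subnet, ports and file path below are assumptions for the example.

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"        # constructed admin subnet (may open SSH)
WAN_IF="${WAN_IF:-eth0}"                        # assumed upstream interface for MASQUERADE
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}" # same path the article saves to

# Print the ruleset. A chain is walked top to bottom and stops at the first
# terminating target, so the connection-state rule comes first and LOG comes
# last: LOG is non-terminating, so a packet it records continues to the DROP policy.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Dropped Packet: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Number of -A rules in the generated set, for a quick sanity check.
rule_count() { gen_ruleset | grep -c '^-A'; }

# Last filter-table rule; it must be the LOG rule, or the log misses traffic
# that falls through to the policy.
last_filter_rule() {
  gen_ruleset | sed -n '/^\*filter/,/^COMMIT/p' | grep '^-A' | tail -n 1
}

# Parse and validate without committing to the kernel (run as root, like the
# other commands on this page).
check_ruleset() { gen_ruleset | iptables-restore --test; }

# Save to RULES_FILE, validate, then load. iptables-restore replaces each table
# in one commit, so there is no moment with an empty chain and a DROP policy.
apply_ruleset() {
  gen_ruleset > "$RULES_FILE"
  iptables-restore --test < "$RULES_FILE" || { echo "ruleset rejected, not applied" >&2; return 1; }
  iptables-restore < "$RULES_FILE"
}

case "${1:-print}" in
  print) gen_ruleset ;;
  check) check_ruleset ;;
  apply) apply_ruleset ;;
  *)     echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the ruleset, with check to validate it, and with apply (as root) to write and load it. The limit match on the LOG rule keeps a port scan from flooding the kernel log, and loading through iptables-restore instead of individual -A commands means the DROP policy is never in force while the chain is still half-built.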
5. Introduction to firewalld
firewalld is a firewall management tool in Linux that provides dynamic interface management for network traffic. It uses zones to define the trust level of network connections and supports both IPv4 and IPv6.
6. Firewalld Network Zones
drop: Any received network packets are discarded without any reply. Only outgoing network connections are allowed.
block: Any received network connections are rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.
public: Used in public areas, where you cannot trust other computers on the network not to harm your computer, and can only accept selected connections.
external: An external network with masquerading enabled specifically for routers. You cannot trust other computers from the network not to harm your computer, and can only accept selected connections.
dmz: For computers in your demilitarized zone, this area is publicly accessible and can have limited access to your internal network, only accepting selected connections.
work: For work areas. You can generally trust other computers on the network not to harm your computer; only selected connections are accepted.
home: You can generally trust other computers on the network not to harm your computer, only accepting selected connections.
internal: For internal networks. You can generally trust other computers on the network not to threaten your computer, only accepting selected connections.
trusted: Accepts all network connections.
7. Common Examples
1. Start the firewall
sudo systemctl start firewalld
2. Stop the firewall
sudo systemctl stop firewalld
3. Set the firewall to start on boot
sudo systemctl enable firewalld
4. Disable the firewall from starting on boot
sudo systemctl disable firewalld
5. Check the status of the firewall
sudo systemctl status firewalld
6. Reload the firewall configuration
sudo firewall-cmd --reload
7. View active firewall status
sudo firewall-cmd --state
8. List all active zones
sudo firewall-cmd --get-active-zones
9. View rules for a specified zone
sudo firewall-cmd --list-all --zone=public
10. List all zones
sudo firewall-cmd --get-zones
11. Set the default zone
sudo firewall-cmd --set-default-zone=trusted
12. Add an interface to a zone
sudo firewall-cmd --zone=public --add-interface=eth0
13. Remove an interface from a zone
sudo firewall-cmd --zone=public --remove-interface=eth0
14. View the zone a specified interface belongs to
sudo firewall-cmd --get-zone-of-interface=eth0
15. List all supported services
sudo firewall-cmd --get-services
16. Add a service to a zone
sudo firewall-cmd --zone=public --add-service=http
17. Remove a service from a zone
sudo firewall-cmd --zone=public --remove-service=http
18. Check whether a service is enabled in a zone
sudo firewall-cmd --zone=public --query-service=http
19. Make service changes permanent
sudo firewall-cmd --zone=public --add-service=http --permanent
20. Temporarily open a port
sudo firewall-cmd --zone=public --add-port=8080/tcp
21. Temporarily close a port
sudo firewall-cmd --zone=public --remove-port=8080/tcp
22. Make port changes permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
23. List open ports in a zone
sudo firewall-cmd --zone=public --list-ports
24. Allow traffic from a specified IP
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept'
25. Block traffic from a specified IP
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop'
26. Log and drop traffic from a specified IP
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" log prefix="Blocked: " level="info" drop'
27. Make rules permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept' --permanent
28. Enable masquerading
sudo firewall-cmd --zone=public --add-masquerade
29. Disable masquerading
sudo firewall-cmd --zone=public --remove-masquerade
30. Forward a port to another host
sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.100
31. Use firewall-offline-cmd in scripts or recovery mode
firewall-offline-cmd --add-service=http
32. Save the current runtime configuration as the permanent configuration
sudo firewall-cmd --runtime-to-permanent
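Each item above makes one change, and items 19, 22 and 27 show that runtime and permanent configuration are separate and can drift apart. The script below is an added example, not code from the article or from the firewalld project: it applies a small set of changes to one zone idempotently, testing each with --query-* before --add-*, writing only to the permanent configuration and reloading once at the end, so re-running it changes nothing and the two configurations stay in step. It also shows how the rich rule from item 26 is quoted when built from a variable. The zone, the services, the port and the blocked address 192.168.1.100 are assumptions; in plan mode (the default) the firewall-cmd invocations are printed instead of run, with every query treated as "not present".

```shell
#!/bin/sh
# Added example (not from the article or the firewalld project): idempotent
# provisioning of one firewalld zone. Each change is queried before it is
# added, written to the permanent configuration only, and activated with a
# single --reload, so re-running the script changes nothing.
# Zone, services, port and BLOCKED_IP are assumptions for this example.

ZONE="${ZONE:-public}"
BLOCKED_IP="${BLOCKED_IP:-192.168.1.100}"   # constructed address to log and drop
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands instead of running them

# fw ARGS...: run firewall-cmd, or in dry-run mode print the command line.
# Dry-run queries answer "absent" (exit 1) so every add that would happen is shown.
fw() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "firewall-cmd $*"
    case "$*" in *--query-*) return 1 ;; esac
    return 0
  fi
  firewall-cmd "$@"
}

# The --query-* options exit 0 when the item is present and 1 when it is not,
# which makes "query || add" the idempotent form of every change below.
ensure_service() {   # ensure_service ZONE SERVICE
  fw --permanent --zone="$1" --query-service="$2" >/dev/null 2>&1 \
    || fw --permanent --zone="$1" --add-service="$2"
}
ensure_port() {      # ensure_port ZONE PORT/PROTO
  fw --permanent --zone="$1" --query-port="$2" >/dev/null 2>&1 \
    || fw --permanent --zone="$1" --add-port="$2"
}
ensure_rich_rule() { # ensure_rich_rule ZONE 'rule ...'
  fw --permanent --zone="$1" --query-rich-rule="$2" >/dev/null 2>&1 \
    || fw --permanent --zone="$1" --add-rich-rule="$2"
}

# is_ipv4 ADDR: coarse syntax check before the address is embedded in a rule.
is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# log_drop_rule ADDR: the log-and-drop rich rule from item 26, built from a
# variable. The rule's own quotes are double quotes; from the shell the whole
# rule is wrapped in single quotes or, as here, passed as one argument.
log_drop_rule() {
  printf 'rule family="ipv4" source address="%s" log prefix="Blocked: " level="info" drop' "$1"
}

provision() {
  is_ipv4 "$BLOCKED_IP" || { echo "BLOCKED_IP is not an IPv4 address: $BLOCKED_IP" >&2; return 1; }
  ensure_service "$ZONE" ssh
  ensure_service "$ZONE" http
  ensure_port "$ZONE" 8080/tcp
  ensure_rich_rule "$ZONE" "$(log_drop_rule "$BLOCKED_IP")"
  fw --reload    # permanent -> runtime, once, after all edits
}

case "${1:-plan}" in
  plan)  DRY_RUN=1; provision ;;
  apply) provision ;;
  *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run it with plan to see the commands it would issue and with apply (as root) to make the changes. Writing only to the permanent configuration and reloading once is the opposite of the pattern in items 16 to 27, where a runtime change is made first and then repeated with --permanent; the single-path form is what keeps a machine's live rules identical to what it will boot with.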
8. Conclusion
1. Functions and Uses
iptables is a command-line tool that directly manipulates the Netfilter framework in the kernel to manage network traffic through rule chains and rules. It provides fine control over network traffic, allowing users to define rules based on IP addresses, port numbers, protocols, and more. iptables is suitable for scenarios requiring highly customized and fine control of network traffic.
firewalld is a tool for dynamically managing firewalls, providing the concepts of services and zones to simplify firewall rule management. It uses iptables as a backend but simplifies configuration and management through higher-level abstractions. firewalld is suitable for scenarios requiring quick configuration and dynamic adjustment of firewall rules.
2. Rule Modification and Persistence
iptables requires reloading or saving the rules file after modifying rules for them to take effect, which may cause service interruptions. The rules of iptables will be lost after a system reboot unless saved to a file.
firewalld supports dynamic modification of individual rules without needing to refresh all rules like iptables does. Changes to firewalld rules take effect immediately and support switching between runtime and permanent modes, ensuring greater flexibility and reliability.
3. Configuration Complexity and User-Friendliness
iptables is very flexible and powerful but relatively complex, requiring a deep understanding of networking and firewall principles. It directly manipulates the kernel and offers a wide range of configuration options, making it suitable for advanced users and professional network administrators.
firewalld simplifies the configuration process through the concepts of services and zones, providing predefined rule sets and a visual management interface, making configuration more intuitive and straightforward. It is suitable for users who need simplified management while still requiring a certain level of security.